Detriments of Ransomware Threats: The Big Head Deception

Big Head is a recently emerged ransomware strain that has drawn attention for spreading through malvertising campaigns posing as Windows updates and Microsoft Word installers, and for displaying a fake Windows update screen while it encrypts the victim's files. The following sections describe its infection routine, encryption process, and known variants.

Infection Routine

Big Head ransomware is a .NET binary that drops three AES-encrypted files on the target system: one component handles propagation, another communicates with a Telegram bot, and the third encrypts the victim's files while presenting a fake Windows update screen to the user. During execution, the ransomware modifies the victim's registry, overwrites files where necessary, sets system file attributes, and disables the Task Manager so the user cannot easily terminate the process.

Encryption Process

The ransomware assigns each victim a unique ID, read from the %appdata%\ID directory if one already exists and otherwise generated as a random 40-character string. Before encrypting the targeted files, it deletes shadow copies to hinder restoration from local backups. Encrypted files are renamed with the ".poop" extension appended to the original filename. Notably, the Windows, Recycle Bin, Program Files, Temp, Program Data, Microsoft, and App Data directories are excluded from encryption so that the system is not rendered unusable.
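As an added example (not code from the original page or from Trend Micro's analysis), the following Python script turns the behaviours described in the infection routine and encryption process sections into triage logic a responder could run over endpoint telemetry: it flags shadow-copy deletion commands, the registry value that disables Task Manager, and files renamed with the ".poop" extension, and it applies the exclusion list to separate expected targets from anomalies. The event format, the shadow-copy command patterns, and the exact DisableTaskMgr registry path are assumptions; the sample events are constructed.

```python
import re

# Extension appended to encrypted files, as described in the analysis.
BIG_HEAD_EXTENSION = ".poop"

# Directory names the analysis lists as excluded from encryption. Matching on
# any path component is an assumption; the text only names the directories.
EXCLUDED_DIRS = {
    "windows", "$recycle.bin", "program files", "program files (x86)",
    "temp", "programdata", "microsoft", "appdata",
}

# Command lines commonly used to delete shadow copies. The text says shadow
# copies are deleted but does not quote the command, so these are assumptions
# covering the usual techniques.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy", re.I),
]

# Registry value that disables Task Manager (assumed path:
# HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1).
DISABLE_TASKMGR_RE = re.compile(r"policies\\system\\disabletaskmgr$", re.I)


def is_excluded_path(path: str) -> bool:
    """True if any directory component of `path` is in the exclusion list."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path) if p]
    return any(p in EXCLUDED_DIRS for p in parts)


def triage(events):
    """Scan a list of telemetry events and return (severity, description) findings.

    Each event is a dict with a "type" of "process", "registry" or "file"
    (a constructed schema, not a real product's format).
    """
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            cmd = ev.get("cmdline", "")
            if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
                findings.append(("high", f"shadow copy deletion: {cmd}"))
        elif kind == "registry":
            if DISABLE_TASKMGR_RE.search(ev.get("key", "")) and str(ev.get("value")) == "1":
                findings.append(("medium", f"Task Manager disabled via {ev['key']}"))
        elif kind == "file":
            path = ev.get("path", "")
            if path.lower().endswith(BIG_HEAD_EXTENSION):
                # A .poop file inside an excluded directory is outside the
                # described targeting, so it is worth a look but is less
                # likely to be a genuine Big Head encryption artifact.
                sev = "low" if is_excluded_path(path) else "high"
                findings.append((sev, f"encrypted file artifact: {path}"))
    return findings


def summarize(findings):
    """Count findings per severity so a responder can see the shape at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _ in findings:
        counts[sev] += 1
    return counts


# Constructed sample telemetry resembling an infection, not real data.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "value": 1},
    {"type": "file", "path": r"C:\Users\alice\Documents\budget.xlsx.poop"},
    {"type": "file", "path": r"C:\Users\alice\Pictures\holiday.jpg.poop"},
    {"type": "file", "path": r"C:\Windows\System32\drivers\etc\hosts.poop"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for sev, desc in results:
        print(f"[{sev.upper():6}] {desc}")
    print(summarize(results))
```

The exclusion check is the part worth adapting: if your telemetry shows ".poop" files appearing under Windows or Program Files, that contradicts the described targeting and deserves a second look rather than an automatic alert.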

Variants

Trend Micro's analysis uncovered two additional variants of the Big Head ransomware. The second variant retains the ransomware functionality and adds data-stealing behaviour: it collects and exfiltrates browsing history, directory listings, installed drivers, running processes, product keys, active networks, and screenshots. The third variant bundles the "Neshta" file infector, which inserts malicious code into executables on the compromised system; this is speculated to be an attempt to evade signature-based detection.

Recommended Mitigation

To mitigate the risk of Big Head ransomware infections, organizations and individuals are advised to implement the following measures:

  • Be cautious when encountering malvertising campaigns promoting fake Windows updates or suspicious Microsoft Word installers. Avoid clicking on suspicious ads or downloading software from untrusted sources.

  • Regularly update software and operating systems with the latest security patches to address vulnerabilities.

  • Deploy and maintain up-to-date security solutions, including antivirus and anti-malware software, firewalls, and intrusion detection/prevention systems.

  • Avoid interacting with unsolicited emails or attachments.

Additional Information

According to cyber-intelligence firm KELA, the main author of Big Head ransomware is likely of Indonesian origin. The firm discovered a user on Telegram using the same names and avatars found in Big Head's ransom note. The user, who claims to be a "ransomware expert" and operates under the names "Big Head" and "BLACKHAT HACKER INDONESIA," had been seeking assistance from other members to create a ransomware builder and related tools.


In conclusion, Big Head is not a sophisticated ransomware strain: its encryption methods and evasion techniques are standard and relatively easy to detect. It primarily targets consumers who may be deceived by simple tricks such as the fake Windows update screen, or who lack the awareness needed to protect themselves. The existence of multiple variants nonetheless suggests ongoing development and refinement by the threat actor.
